Devices that perform financial transactions, also referred to herein as financial transaction devices, are generally at risk of being misused to perform criminal activity. Financial transaction devices are typically designed with various security features that defend against this type of risk. One type of security feature is to require each user of the device to enter a user code, such as a personal identification number (PIN), along with other transaction-related information as a pre-condition for using the device to execute a financial transaction. A device that requires entry of a PIN as a pre-condition of its use is generally referred to as a PIN Entry Device (PED).
The PIN and other transaction-related information are typically encrypted using PIN encryption and a cryptographic key and transmitted by the device to a host computer. The host computer attempts to verify that the encrypted PIN and other transaction data are correct, and if correct, further processes the transaction. The encrypted PIN and other transaction data are “correct” if they are associated with an account number typically referenced within the transaction data.
A transaction typically involves a buyer and a seller. Processing the transaction may involve debiting an account of the buyer in the transaction (typically the user of the PED) and crediting an account of the seller in the transaction (typically a retail store business entity supplying the PED). Encrypting the PIN and the other transaction data prior to transmission protects against revealing the unencrypted data to parties that may be listening to (eavesdropping on) and/or intercepting the data during its transmission or processing.